[all] broken pep8 jobs caused by bandit 1.7.5

Sylvain Bauza sbauza at redhat.com
Fri Mar 10 10:44:30 UTC 2023


Le ven. 10 mars 2023 à 08:33, Takashi Kajinami <tkajinam at redhat.com> a
écrit :

>
>
> On Fri, Mar 10, 2023 at 4:20 PM Takashi Kajinami <tkajinam at redhat.com>
> wrote:
>
>> fyi;
>>
>> It seems the new release of bandit (1.7.5) just came out and this
>> introduces a new lint rule
>> to require defining the timeout parameter for all "requests" calls.
>>
>> https://github.com/PyCQA/bandit/commit/5ff73ff8ff956df7d63fde49c3bd671db8e821eb
>>
>> This is currently affecting heat and quick search shows some of the other
>> projects contain some code
>> not compliant with this rule(barbican, ceilometer, cinder, glance,
>> manila, nova, ...).
>>
> Seems some of these (ceilometer, cinder, glance and manila) are not using
> bandit and others (nova) have
> the upper version defined. So it might not affect a limited number of
> projects using bandit without an upper version,
> but I'd recommend you check your own projects.
>
>

AFAIK, the Nova bandit-specific tox target [1] isn't run on CI by any of
the Zuul jobs we have [2] (we don't include a bandit check as part of the
pep8 validation).
I tested both the 1.7.4 and 1.7.5 bandit versions on the tox target locally,
and I don't see much of a difference.

Sounds like the issue is then unrelated to the Nova project, to clarify.
-Sylvain


[1] https://github.com/openstack/nova/blob/master/tox.ini#L260-L265
[2] https://github.com/openstack/nova/blob/master/.zuul.yaml

>> Also, it seems we do not pin bandit by u-c for some reason, so this likely
>> affects all stable branches.
>> Actually I first noticed this when I tried to backport one fix to 2023.1
>> branch of heat...
>>
>> Thank you,
>> Takashi
>>
>
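For readers who want to see what the new rule actually flags before running the full tox target, here is an added example (not code from this thread, from Bandit, or from any OpenStack project) that reimplements the gist of the "requests call without timeout" check with the standard-library `ast` module. It walks a constructed Python source string and reports `requests.*` calls that either omit `timeout` or pass `timeout=None`, which is what makes a client hang indefinitely on a stalled server. The function and constant names, the sample source, and the exact set of `requests` functions checked are assumptions of this example, not Bandit's own implementation or its exact matching logic.

```python
"""Simplified, stand-alone reimplementation of a 'requests without timeout'
lint check.  This is illustrative example code, not Bandit's plugin."""
import ast

# Assumed set of module-level requests functions to inspect.
REQUESTS_FUNCS = {"get", "post", "put", "patch", "delete",
                  "head", "options", "request"}

# Constructed sample input: three call sites, two of which should be flagged.
SAMPLE_SOURCE = '''\
import requests

def fetch(url):
    return requests.get(url)

def probe(url):
    return requests.head(url, timeout=None)

def fetch_ok(url):
    return requests.get(url, timeout=(3.05, 27))
'''


def _is_requests_call(call: ast.Call) -> bool:
    """True for calls of the form requests.<func>(...)."""
    func = call.func
    return (isinstance(func, ast.Attribute)
            and isinstance(func.value, ast.Name)
            and func.value.id == "requests"
            and func.attr in REQUESTS_FUNCS)


def find_requests_without_timeout(source: str):
    """Return (lineno, callee, reason) tuples for every requests.* call
    that has no timeout or explicitly sets timeout=None."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call) or not _is_requests_call(node):
            continue
        callee = f"requests.{node.func.attr}"
        timeout_kw = next((kw for kw in node.keywords if kw.arg == "timeout"), None)
        if timeout_kw is None:
            findings.append((node.lineno, callee, "missing timeout"))
        elif isinstance(timeout_kw.value, ast.Constant) and timeout_kw.value.value is None:
            # timeout=None is the same as no timeout: the socket waits forever.
            findings.append((node.lineno, callee, "timeout=None"))
    # ast.walk is breadth-first; sort so output follows source order.
    return sorted(findings)


if __name__ == "__main__":
    for lineno, callee, reason in find_requests_without_timeout(SAMPLE_SOURCE):
        print(f"line {lineno}: {callee}: {reason}")
```

Run it on a file with `find_requests_without_timeout(open(path).read())`. The fix the rule asks for is the one shown on the last call site in the sample: pass an explicit `timeout=` (a `(connect, read)` tuple is the usual form) so a hung remote cannot stall a worker forever; note that this simplified checker does not see a timeout smuggled in via `**kwargs`, so treat a clean result as necessary rather than sufficient.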